The internet of things (IoT) is changing nearly every industry. Smart devices that can collect and process data, and even make decisions based on that data, though artificial intelligence promises to disrupt business as we know it for years to come.
However, there are some legitimate concerns. The more connected devices your company has, the more potential vulnerabilities are out there. As business owners we want to be able to access the data we collect through the IoT, but we also need to be able to protect that data, and we bear the responsibility for keeping that data secure.
This, like many areas of business, is a time for brutal honesty. If you have vulnerabilities, you need to fix them. You don’t want to be part of the headlines about companies who acted too late or not at all. Your security must adapt to the IoT, and it needs to do so now.
Is the internet of things threatening your company’s security? There are a few questions you will need to ask yourself and your IT department to truly determine the answer:
How do I know?
Most experts agree that the weakness in any network is the devices that make up the IoT. For example, if you have smart light bulbs in your home, they are likely controlled by a hub which not only provides you with more flexibility in controlling them, but also provides security so they do not become a weak point in your network.
This is why an intrusion detection system (IDS) is so important. Technologies from companies like AlienVault allow you to monitor for threats and even give you advice on how to prevent harm from them. Remember there is more than one area of vulnerability in any system. Cloud-based IDS, network IDS, and host-based IDS, along with file integrity management systems, are all essential parts of your strategy.
These alerts tell you there is an attack and can even reveal threats to you, which allows you to put remediation and prevention strategies in place. But what are the threats you should be aware of?
What are the threats?
Why don’t we have houses that are completely smart and controlled by IoT devices? What about our cars? Part of the reason is that a hacker with the right tools could potentially take over control of a house or even a connected car from the owner or driver. For example, the Bangladesh National Bank lost $81 million due to an IoT-based attack.
What are these types of attacks? There are actually several, and they mirror other types of cyberattacks.
- Distributed Denial of Service (DDoS): Chrysler/Jeep was vulnerable to this type of attack. Essentially, control of devices or a system is taken by a hacker. Sometimes this comes with ransomware, where the owner or user has to pay to get that control back.
- Malware: IoT devices can be used by an attacker to spread malware, sometimes to more than one device.
- Botnets: A botnet is a network of computers that are infected and used to perform malicious attacks like the fridge that was sending SPAM emails.
We hear about these types of attacks in the news on a regular basis, and unfortunately as security evolves and gets better, hackers innovate as well, finding new ways to get past security measures. They are always searching for vulnerabilities, so you and your business must be just as vigilant as they are.
What preventative actions can I take?
The risks are clearly out there. Just knowing there is an attack and the types of attacks is not enough, however. You also need to know how to prevent them. This is a multipronged answer, but there are some simple, general steps any business can implement to prevent all but the most determined of attacks or at least slow them down.
Buy the Right Devices
Whether they are for your home or your business, purchasing the right devices in the first place, ones with good security ratings, is probably the most important step. Do they plug into a controller or have a controller of their own? What level of security does it and the device itself have?
This means doing some research beyond the hype on the product or company website. Look at other online review sites, scroll through forums and groups about security, and simply just ask IT security professionals who you know or who work for you.
Change Passwords from Defaults and Use Strong Ones
This may be something that seems obvious, but the number of times that an IT professional can walk into a business or someone’s home and open a device or network with a default password is amazing. Even more frequently, passwords are simple to guess or are just extremely weak.
This is perhaps the most frequently vulnerable area of any system, yet it is easily prevented. You can use a password-generator program like LastPass or even iCloud keychain if you are a Mac user, and the program will remember your passwords for you. There’s no reason not to have strong passwords and change them often.
Hire the Right People
This may be the most important point of all. Encryption, comprehensive security solutions and all of the above actions depend on people, both those who know how to implement them and the employees who use them.
- Hire the right IT people. A degree matters in many fields, and IT is one of them. Hire someone with a degree in information systems and security, and if they have been in the workforce for a while, look at continuing education and how up-to-date they are on the latest techniques and technology.
- Educate your employees: There should be regular classes company-wide on what the latest IoT devices are, how they are vulnerable, and how employees play a role in protecting themselves and the company.
- Address issues right away. If you have a personnel issue or find that someone is out of compliance with your policies, take corrective action immediately. Your security is only as strong as its weakest link, and often that is the person in front of the computer.
Anyone who has access to your network is a key player in IoT security. They can bypass many of your safety measures unintentionally. HR plays a big role in this process from the hiring to the training of employees, vendors, and contractors.
The IoT is a wonderful tool in the right hands and a dangerous weapon in the hands of others. Make sure that your company security is not threatened by being vigilant, knowing the threats that are out there, taking preventative action, and hiring the right people to help.